Dynamic IPv6 Prefix Delegation to Layer 3 Switch
jeweledrover, March 06, 2024, 09:57:08 am:
I have an OPNsense firewall connected to an ICX 7250-C12P switch running layer 3 (router) firmware.
I have three VLANs: management, clients and IoT. Nothing on the native VLAN. Currently I use ISC DHCP on OPNsense, so I have to have all three interfaces on the firewall connected via a tagged switch port. I will move to Kea and use a single trunk from firewall to switch with a DHCP helper for IPv4 soon.
My ISP currently gives me only a single /64 IPv6 via DHCPv6 PD over IPv4, which is in theory dynamically assigned. It’s a new function for them and I’ve pointed them at the RIPE best practice guidance 😝
I want to give my clients VLAN the only prefix and allow them to use SLAAC. I don’t care if only this one subnet has a GUA prefix. How/which technology do I use to achieve this?
I’ve set up the trunk giving each a ULA. I assume I want to do something with RA, but I’m a little lost!
What I’m hoping to achieve is this…
1 - OPNsense retrieves the PD from the ISP over DHCPv6 via the IPv4 PPPoE link. Done, although the ISP does not give me a link IP, so I am using LL to the gateway.
2 - Single ‘trunk’ (I think this is the right term) layer 3 connection to the sub-router (layer 3 switch).
3 - The layer 3 switch has three VLANs. I want one of these VLANs to receive GUA IPv6 addresses from the single /64 prefix I have so they can use SLAAC.
I’m thinking the way to do this is to assign each VLAN’s SVI a /64 ULA prefix so every client can have an IPv6 address, but then somehow also let the clients VLAN SVI have a GUA address and prefix. I’m just unclear what I should be doing, bearing in mind I don’t want to have to reconfigure my switch if my GUA prefix changes.
bimbar, Reply #1, March 06, 2024, 10:27:01 am:
ULA are not very useful as they have a lower priority than IPv4.
In any case you would have to do masquerading on your outbound interface.
It all doesn't sound like a good idea to me.
Patrick M. Hausen, Reply #2, March 06, 2024, 10:58:34 am:
Yep. ULA are essentially useless if the goal is Internet access.
https://blog.ipspace.net/2022/05/ipv6-ula-made-useless.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
jeweledrover, Reply #3, March 06, 2024, 11:31:00 am:
OK, so I don’t give a ULA to the clients VLAN and only give the devices and the SVI on the switch a GUA. Other VLANs can have ULAs or not; it doesn’t really matter. Is there a way to “redelegate” the whole prefix to the switch for just ONE VLAN?
I assume no masquerading is needed, as I’d set a default IPv6 route on the layer 3 switch and a route for the prefix to the layer 3 switch on OPNsense.
But I assume I’d have to have an interface on OPNsense with a GUA in the same prefix, though? Can I not route GUA traffic over ULA links?
Let me simplify this for a moment to help me understand the concepts…
I have OPNsense as my firewall. It has LAN and WAN interfaces. WAN receives IPv4 with PPPoE and a single /64 PD via DHCPv6 over IPv4. The WAN interface therefore has a single IPv4 address and a LL address.
LAN has a static IPv4 address with a DHCP service running for clients. LAN is set to track interface for IPv6 and Router Advertisement is set to Unmanaged.
LAN is connected to the layer 3 switch via a routed interface (this is what I meant when I said trunk port). The layer 3 switch has two VLANs with two corresponding SVIs on two subnets with ACLs. I assume with the appropriate routes this will just work, but unless I filter RA somehow on the switch, both VLANs are on the same IPv6 subnet, which would be an issue when writing ACLs?
Patrick M. Hausen, Reply #4, March 06, 2024, 11:56:28 am:
You cannot subnet an IPv6 /64. It's the smallest (actually the only) possible prefix in an Ethernet network. Anything else breaks SLAAC, RA, ... almost everything that makes IPv6 work smoothly.
What I do if I need a "private" /64 somewhere is pick a GUA that I know is not used anywhere. E.g. my home network and each of our two office locations have static /56 allocations from Deutsche Telekom. Since I need only a handful of the 256 /64 networks that gives me per location, I can use the others in other places and NAT or NPT them.
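What the NPT Patrick mentions in Reply #4 actually does to an address, as an added example that is not code from this thread or from OPNsense: a checksum-neutral /64-to-/64 prefix translation in the style of RFC 6296 (NPTv6), mapping a "private" GUA /64 that you control to the real delegated /64. The prefixes and host addresses are constructed from the 2001:db8::/32 documentation range, the class name NPTv6 is this example's own, and the handling of 0xFFFF words is a simplification for illustration rather than a conformance implementation.

```python
import ipaddress


def ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    while s > 0xFFFF:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def ones_sum(words) -> int:
    """One's complement sum of a sequence of 16-bit words."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def to_words(addr) -> list:
    """Split an IPv6 address into its eight 16-bit words."""
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class NPTv6:
    """Checksum-neutral /64 <-> /64 prefix translation (RFC 6296 style).

    The prefix words are swapped and the resulting change in the one's
    complement sum is compensated in the first interface-identifier word that
    is not 0xFFFF, so TCP/UDP/ICMPv6 checksums stay valid without the
    translator touching transport headers. Illustrative simplification only.
    """

    def __init__(self, internal: str, external: str):
        self.inside = ipaddress.IPv6Network(internal, strict=True)
        self.outside = ipaddress.IPv6Network(external, strict=True)
        if self.inside.prefixlen != 64 or self.outside.prefixlen != 64:
            raise ValueError("this example handles /64 <-> /64 only")
        in_sum = ones_sum(to_words(self.inside.network_address)[:4])
        out_sum = ones_sum(to_words(self.outside.network_address)[:4])
        # adjustment = internal - external, in one's complement arithmetic
        self.adjustment = ones_add(in_sum, (~out_sum) & 0xFFFF)

    @staticmethod
    def _rewrite(addr, src, dst, adj) -> ipaddress.IPv6Address:
        a = ipaddress.IPv6Address(addr)
        if a not in src:
            raise ValueError(f"{a} is not inside {src}")
        words = to_words(dst.network_address)[:4] + to_words(a)[4:]
        for i in range(4, 8):
            if words[i] != 0xFFFF:      # 0xFFFF is "negative zero"; skip so the reverse path picks the same word
                words[i] = ones_add(words[i], adj)
                if words[i] == 0xFFFF:  # store negative zero as +0 so the result stays reversible
                    words[i] = 0
                return from_words(words)
        raise ValueError("an interface identifier of all ones cannot be translated")

    def outbound(self, addr) -> ipaddress.IPv6Address:
        """Internal (private GUA) source address -> external (delegated) address."""
        return self._rewrite(addr, self.inside, self.outside, self.adjustment)

    def inbound(self, addr) -> ipaddress.IPv6Address:
        """External destination address -> internal address (exact inverse)."""
        return self._rewrite(addr, self.outside, self.inside, (~self.adjustment) & 0xFFFF)


def checksum_neutral(a, b) -> bool:
    """True if both addresses contribute the same value to a pseudo-header checksum."""
    def norm(s):
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(to_words(a))) == norm(ones_sum(to_words(b)))


if __name__ == "__main__":
    # Constructed prefixes: an unused "private" GUA inside, the delegated /64 outside.
    npt = NPTv6("2001:db8:aaaa:1::/64", "2001:db8:bbbb:2::/64")
    host = "2001:db8:aaaa:1:211:22ff:fe33:4455"
    out = npt.outbound(host)
    print(host, "->", out, "->", npt.inbound(out), "neutral:", checksum_neutral(host, out))
```

Because the mapping is a pure function of the address, the translator keeps no connection state; that is the practical difference from the IPv4-style masquerading bimbar refers to, where every flow needs a table entry and inbound connections have no mapping until one exists. The cost is that hosts still end up with a second address family to reason about in firewall rules, which is why the thread steers toward routing the real prefix where that is possible.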
jeweledrover, Reply #5, March 06, 2024, 01:21:08 pm:
To be clear, I don’t wish to subnet a /64 prefix. I am not looking to share a /64 between different networks. I want to give a /64 prefix to only one of my two networks (because I only have one) and do not know how to do this when a subrouter is involved.
Patrick M. Hausen, Reply #6, March 06, 2024, 01:47:20 pm:
The other network also needs some IPv6 prefix, or how are you intending to route?
OK, theoretically you could use strictly link-local addresses on all other links. I admit I never tried that.
jeweledrover, Reply #7, March 06, 2024, 02:04:25 pm:
The other network can be IPv4 only for the purposes of this example.
The bit I don’t know how to do is re-delegate my whole /64 PD from OPNSense to a subrouter.
Patrick M. Hausen, Reply #8, March 06, 2024, 03:36:49 pm:
OPNsense needs more than a /64 to delegate a smaller allocation. That's just how it works. Can't you "just" configure it statically?
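Replies #4 and #8 make the same point from two sides: a /64 is the smallest prefix that works on an Ethernet link, and OPNsense can only hand a /64 to a child interface or a downstream router if the ISP delegates something shorter. The following is an added example, not code from this thread or from OPNsense, that does that arithmetic with Python's ipaddress module and forms the SLAAC address a client would derive, to show where the 64 bits go. Prefixes are constructed from the 2001:db8::/32 documentation range and the MAC address is made up; the function names are this example's own.

```python
import ipaddress


def delegatable_64s(pd: str) -> list:
    """List the /64 networks a delegated prefix can hand to downstream links.

    A /56 yields 256 of them, a /60 yields 16, and a /64 yields only itself:
    there is nothing left to split, because SLAAC needs a 64-bit interface
    identifier (RFC 4291/4862), so a /65 or longer is unusable on an Ethernet.
    """
    net = ipaddress.IPv6Network(pd, strict=True)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64 and cannot carry SLAAC")
    if net.prefixlen == 64:
        return [net]
    return list(net.subnets(new_prefix=64))


def plan_vlans(pd: str, vlans: list) -> dict:
    """Assign one /64 per VLAN name, or explain why the delegation is too small.

    This is the planning a router does before routing parts of a PD to
    child links; a single /64 serves exactly one VLAN, which is the limit
    the thread runs into with three VLANs and a /64 delegation.
    """
    nets = delegatable_64s(pd)
    if len(vlans) > len(nets):
        raise ValueError(
            f"{pd} provides {len(nets)} /64 network(s) but {len(vlans)} "
            f"VLANs each need their own"
        )
    return {name: net for name, net in zip(vlans, nets)}


def slaac_eui64(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the SLAAC address a host derives from an RA prefix and its MAC.

    Modified EUI-64: insert ff:fe in the middle of the 48-bit MAC and flip the
    universal/local bit of the first octet. The identifier is 64 bits wide,
    which is why the advertised on-link prefix must be exactly /64.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires an on-link prefix of exactly /64")
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


if __name__ == "__main__":
    # Constructed documentation-range prefixes, not the poster's real allocation.
    print(plan_vlans("2001:db8:abcd:ef00::/56", ["management", "clients", "iot"]))
    try:
        plan_vlans("2001:db8:abcd:ef00::/64", ["management", "clients", "iot"])
    except ValueError as exc:
        print("cannot split:", exc)
    print(slaac_eui64("2001:db8:abcd:ef01::/64", "00:11:22:33:44:55"))
```

Run against a /56 the plan hands the clients VLAN its own /64 and leaves 253 spare; run against the /64 from the thread it fails, which is the situation Reply #8 describes. Note that the EUI-64 form is shown because it makes the 64-bit requirement visible; current hosts normally use RFC 7217 stable or RFC 8981 temporary identifiers instead, but those are also 64 bits wide, so the prefix-length constraint is the same.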
jeweledrover, Reply #9, March 06, 2024, 09:57:05 pm:
So is there no technology that can pass the entire /64 prefix a router receives to another router?
Patrick M. Hausen, Reply #10, March 06, 2024, 09:58:45 pm:
Not to my knowledge.